Cloudflare Workers Serve Static Middleware, Path Traversal, CVE-2024-XXXX (Medium)

Listen to this Post

The vulnerability resides in the path resolution logic of the Serve Static Middleware configured for the Cloudflare Workers adapter. When processing an incoming HTTP request for a static asset, the middleware takes the user-supplied URL path and directly uses it to form a lookup key for the Workers asset storage (e.g., env.ASSETS.fetch(request)). It fails to properly sanitize or restrict this path, allowing sequences like `../../../` or other path traversal payloads. An attacker can craft a request like `GET /static/../../../WRONG_KEY` which, when naively concatenated or resolved, bypasses the intended directory scope. The constructed key is then used to fetch from the asset namespace, which may contain internal, non-public keys. This results in the server returning assets associated with the attacker-chosen key, leading to unauthorized information disclosure of any readable asset within the same storage bindings, without the ability to write or execute code.
Platform: Cloudflare Workers
Version: Adapter Middleware
Vulnerability: Path Traversal
Severity: Medium
date: 2024-10-XX

Prediction: 2024-11-15

What Undercode Say:

curl -v “https://target.workers.dev/static/../../../env_config.json”
Attempts to traverse to parent directories in asset key namespace.

cat > probe_paths.txt << 'EOF'

../ASSETS

../../KEY

…/./config

EOF

while read path; do curl -s “https://target.workers.dev/static/$path”; done

Exploit:

Craft malicious path traversal requests to access keys like ../PRODUCTION_API_KEY, ../../config/internal.json. Automated scanning for directory traversal in the `/static/` endpoint.

Protection from this CVE

Update middleware. Implement strict path validation, normalize and restrict to intended subdirectory, use allowlists for allowed keys, sanitize user input before key formation.

Impact:

Information disclosure of internal asset keys and files stored in Workers asset storage, potentially exposing configuration, secrets, or non-public data.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top